The financial sector faces growing cyber threats that could disrupt critical services and undermine public trust. Recognising this challenge, the European Union (EU) has introduced the Digital Operational Resilience Act (DORA), a comprehensive and all-encompassing regulatory framework to enhance financial institutions' cybersecurity and operational resilience across the EU.
DORA represents a significant step in the EU's efforts to create a more secure and resilient financial ecosystem. The financial system is highly interconnected, making it a prime target for cybercriminals. Steve Armstrong-Godwin is a SANS Principal Instructor, author of the SANS LDR553™: Cyber Incident Management™ course, and Lead of Security Incident Response and Threat Management at Danske Bank. “What it comes down to is that money makes the world go round”, Armstrong-Godwin says. “So, the two major ways that a threat actor would compromise a country are to hit the power or the money. DORA represents a requirement being placed on EU financial institutes to be resilient to cyber-attacks”.
The regulation builds on existing cybersecurity frameworks and introduces new obligations that compel organisations to rethink their approach to digital security. It encompasses a wide range of financial entities, including banks, insurance companies, investment firms, and crypto-asset service providers. It sets out uniform requirements for information communication technology (ICT) risk and incident management, incident classification and reporting, digital operational resilience testing, information sharing, and the management of ICT third-party risk. The goal is not only to protect organisations but also to safeguard the entire financial ecosystem, ensuring that it remains stable and trustworthy even in the face of large-scale cyber threats.
Implications and challenges of DORA
For many organisations, one of the immediate effects of DORA will be a shift in focus towards ICT risk management. Companies must develop comprehensive strategies for identifying, assessing, and mitigating risks associated with their information and communications technology infrastructure. Armstrong-Godwin points out that “good ICT-related management and classification is knowing what is critical to your organisation and to ensure how you can quickly recover if those systems are compromised”. This involves not only identifying and assessing risks but also implementing appropriate measures to mitigate them.
Additionally, DORA extends its reach beyond the organisation itself, imposing strict requirements on third-party providers. Financial institutions often rely heavily on external service providers for critical ICT services, which can introduce additional vulnerabilities. DORA requires organisations to carefully assess and monitor the risks associated with these third-party relationships. “You need to understand fully who is in your supply chain, identifying which suppliers are critical and ensuring they meet the same resilience standards”.
The regulation also introduces new incident reporting obligations, requiring financial entities to report significant ICT-related incidents (including their direct and indirect cost) to relevant authorities within specified timeframes. This emphasis on timely and comprehensive reporting aims to improve the overall visibility of cyber threats across the sector and enable more effective responses.
Another significant challenge is the potential complexity of implementing DORA's requirements, especially for smaller organisations or those new to such comprehensive regulatory frameworks. The regulation's emphasis on proportionality means that the specific measures required may vary depending on an organisation's size, complexity, and risk profile. However, determining what is ‘proportional’ can be a challenge in itself. “Also, the cost of compliance with DORA may be substantial; upgrading systems, conducting resilience testing and managing third-party risks require significant investment. However, if done efficiently, the long-term benefits of compliance – such as avoiding fines, maintaining customer trust and preventing costly disruptions – far outweigh the initial expenses”.
Intertwining DORA, TIBER-EU, and NIS2
DORA does not exist in isolation but forms part of a broader ecosystem of cybersecurity regulations and frameworks in the EU. It closely ties with initiatives such as TIBER-EU (Threat Intelligence-based Ethical Red Teaming) and the NIS2 Directive (Network and Information Security).
TIBER-EU is a framework for intelligence-led red team testing of financial entities' critical live production systems. “TIBER is a requirement to demonstrate your ability to detect and respond to attacks. It's more of a practical demonstration of your external footprint, the attack surface you present, the external vulnerabilities, and the patching mechanisms you do to close those down”, Armstrong-Godwin explains. While not directly part of DORA, TIBER-EU tests can provide valuable insights into an organisation's operational resilience and help meet DORA's testing requirements.
The NIS2 Directive, on the other hand, is a broader cybersecurity regulation that applies to various sectors beyond finance. While there is some overlap between DORA and NIS2, DORA is specifically tailored to the financial industry and goes into greater depth on specific requirements. “Being DORA compliant should help your NIS compliance, and if you've been working toward this for the last couple of years, then you should be very closely aligned with what your DORA requirements will be”.
Preparing for DORA
Given the comprehensive nature of DORA and its potential impact on organisations, financial entities must prepare well before its implementation. Armstrong-Godwin offers ten critical steps for organisations to consider:
- Understand the requirements: Thoroughly review and comprehend DORA's regulations. Armstrong-Godwin suggests using resources that provide clear summaries of each article. Then map these, via a stakeholder-based RACI matrix, to the DORA Articles and Chapters; this lets you allocate tasks and ensures that broad areas such as incident response are actually covered.
- Conduct a gap analysis: Assess your current practices against DORA's requirements to identify areas that need improvement. Get support from your organisation's SMEs, as only they can deep-dive into the Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), which require know-how of the procedures and their implementation.
- Enhance ICT risk management: Develop or improve procedures for identifying, assessing, and monitoring ICT risks. Ensure you have a robust risk management platform that aligns with financial sector standards.
- Improve incident reporting processes: Establish clear protocols for timely and accurate incident reporting. Define who is authorised to report and how to report and develop templates and guidelines for various scenarios (start with the provided standards and guidelines).
- Review and update third-party agreements: Examine existing contracts with ICT service providers. Introduce new requirements for accountability and monitoring that align with DORA's stipulations.
- Develop and test a business continuity plan: If you don't have one, create a comprehensive business continuity plan. If you do have one, ensure it is up-to-date and regularly tested.
- Educate employees: Ensure that all employees, including those who might be in standby positions for key roles, understand their roles and responsibilities under DORA. Run educational sessions for “Service Owners” of critical services that are in scope for DORA, so they are aware what’s coming and what information they’ll need to provide in case of a major incident.
- Engage with authorities: Proactively communicate with relevant regulatory bodies to understand their expectations, focus areas, and any guidance they can provide. While Article 45 addresses the need for information sharing (exchanging cyber threat information and intelligence securely and efficiently), seek guidance from your national authority on how they believe this should occur, and get onto those platforms to gain access to the threat intelligence others share.
- Prepare for audits: Organise your documentation and evidence of compliance. Ensure that all teams have audit-ready materials and understand the audit process.
- Monitor ongoing developments: Monitor changes in the regulatory landscape, new guidance, and best practices as DORA implementation progresses.
Armstrong-Godwin emphasises that “if organisations haven't started these steps already, they need to begin immediately, as some aspects, particularly updating third-party agreements, can take considerable time to implement fully”.
Enhancing operational resilience
Organisations don't have to go it alone in preparing for DORA. Training and education providers like SANS can play a crucial role in helping organisations build the skills and knowledge needed to meet DORA's requirements. Armstrong-Godwin highlights several SANS courses that can be particularly helpful, including SEC504™: Hacker Tools, Techniques, and Incident Response™; LDR553: Cyber Incident Management; and SEC566™: Implementing and Auditing CIS Controls™, which covers the 20 critical security controls.
“If you're quite new to this, the 20 critical controls help you get a grip on things whilst also mapping that across to the DORA requirements, which would be a good start”.
While DORA presents significant challenges for financial organisations, it also offers an opportunity to enhance operational resilience and build greater trust in the digital financial ecosystem. Organisations can achieve compliance and strengthen their overall cybersecurity posture by taking a proactive approach to understanding and implementing DORA's requirements. As the financial sector continues evolving in an increasingly digital world, DORA is crucial to ensuring its stability, security, and resilience.
Stay ahead of cyber threats and compliance challenges—explore the SANS DORA Resource Hub for actionable advice on building resilience in the financial sector.